1. A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 
10/23/07 has been entered. 

The examiner will address applicant's arguments at the end of this office action. 

1. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

2. Claims 1-25,27,28,30-56,58,60-89,119-122, are rejected under 35 U.S.C. 101 
because the claimed invention is directed to non-statutory subject matter. 

For claims 1,16-18,24,31,63,76, it is claimed that a "detection rating" is 
determined, a QFD score is calculated, and it is claimed that a PRN is calculated using 
a specific formula. Each independent claim now requires that a "detection rating" be 
determined. The examiner takes notice of the fact that it is a person that decides what 
values the variables of "detection rating", "severity rating", and "process strength rating" 
are supposed to have. The examiner also notes that the specification provides no 
guidance on how one should go about determining the correct values for these 
variables, so that the result would be useful and would be repeatable. With respect to 
the "severity" and "process strength" ratings, the QFD is calculated from the 
multiplication of these two values together, see page 16 of the instant specification. 
Because all of the variables used to calculate the QFD score are disclosed as being 
determined by people and because there is no guidance given on how to go about 
choosing the appropriate values for these variables, the result of the invention is not 
considered to be concrete (i.e. it is not capable of being repeated to arrive at a particular 
result). The same is true for the "detection rating". This is disclosed as being 
determined by people, see page 17 of the specification. No guidance is given on how to 
go about choosing the detection rating value. Because of the fact that different people 
may ascribe different values to the variables used in the equation, and because no 
guidance is given on how to go about choosing the values for the "detection rating", 
"severity rating", and "process strength rating", the result is not guaranteed. The claim 
is not statutory because the result is not concrete (i.e. it is not capable of being repeated 
due to the human factor). The input is judgmental and will vary from person to person 
so the result will vary as well. The same holds true for claim 24 that recites the 
variables used to calculate a PRN, the values used in the equation are determined by 
people and are judgmental in nature; therefore, the claim does not have a concrete 
result. Additionally, because the results are not concrete, the examiner does not see 
how the result is useful in the context of 35 USC 101. Because the calculated QFD 
score and PRN are only as accurate as the inputted data is accurate, the result is not 
considered to be useful. If the result can vary depending on the person deciding what 
values the variables of the equation are supposed to have, and no guidance is given to 
allow two people to reasonably know how to determine the correct numbers, then one 
cannot have any confidence in the obtained result, because it is only as good as the 
data inputted into the equation, which is determined by people with no standards to go 
by. There is no guarantee that the result obtained is even accurate, because the entire 
equation is based on a person's perception and judgments as to what the "detection 
rating", "severity rating", and what the "process strength rating" is. 

3. The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

4. Claims 1-25,27,28,30-56,58,60-89,119-122, are rejected under 35 U.S.C. 112, 
first paragraph, as failing to comply with the enablement requirement. The claim(s) 
contains subject matter which was not described in the specification in such a way as to 
enable one skilled in the art to which it pertains, or with which it is most nearly 
connected, to make and/or use the invention. 

For claims 1,31,63,76, it is claimed that a "detection rating" is determined. Each 
independent claim now requires that a "detection rating" be determined. The examiner 
takes notice of the fact that it is a person that decides what value the variable 
"detection rating" is supposed to have. The examiner notes that the specification 
provides no guidance on how one should go about determining the correct values for 
this variable, so one of skill in the art would be left guessing on how to do what is 
claimed. The "detection rating" is disclosed as being determined by people, see page 
17 of the specification. People determine what the detection rating is going to be, and 
no guidance is given on how to go about choosing the value for the detection rating. 
How would one of skill in the art do what is claimed? The only way they could do it is 
by guessing or randomly picking a value for the detection rating. This does not teach to 
one of skill in the art how to go about and use the claimed invention. How is the 
detection rating arrived at? Because this is not disclosed, and because it is disclosed 
that a person chooses the value, the claim is not considered to be enabled. There is 
not enough of a disclosure to allow one of skill in the art to make and use the claimed 
invention without undue experimentation (which is present due to the lack of guidance). 

With respect to claims 31,63-89, and the recitation that the server prioritizes the 
compliance risks for the business, identifies potential failure modes with causes and 
effects, and recommends risk monitoring and control mechanisms, one of skill in the art 
would not be able to make the server do what is claimed. This is because the applicant 
has disclosed that it is people that do these steps, not the server. One of skill in the art 
would not be able to figure out how to get the server to prioritize the risks because this 
depends on what the business sees as the most risky based on any known 
consequences that may happen if the risk materializes. How would one of skill in the art 
go about making the server prioritize the risks, especially for a plurality of different 
business settings that have different compliance issues that need to be dealt with? How 
is this done? How can the server know what to do? With respect to identifying failure 
modes and the causes and effects, how is this done by the server? How does the 
server know what possible failures could occur for any kind of business process? The 
same is true for the recommendation of risk monitoring and control mechanisms, how 
does the server do this? One of skill in the art would be left guessing how to program 
the server to do what the specification disclosed is being done by people. The server is 
clearly used in the storing of data and in collecting/receiving the data, but the 
specification is full of references to the fact that it is people doing the majority of the 
actions, not the server. One of skill in the art would not be able to make the invention 
as claimed and undue experimentation would be involved to make the server do what 
is claimed. The claims are not enabled because one of skill in the art would not be able 
to make a server that does everything that is claimed. 

For claims 63-89 the following paragraphs are relevant to what is claimed and 
these issues were not addressed by applicant in the most recent response to the last 
office action. 

For claims 32,33,35,36, the claim is not enabled. How can the server assemble 
the cross-functional team and conduct an interview with a person, etc.? As stated with 
respect to claim 31, people are disclosed as doing these steps, not the server. People, 
not the server, also do the summary of the results. One of skill in the art would not be 
able to make the server do what is claimed and undue experimentation would be 
involved. 

For claim 34, one of skill in the art would not be able to go about and make a 
server that can create a questionnaire as claimed. How can the server know what the 
business is and what questions should be asked? The server cannot do this step, 
people do. Applicant has not disclosed how one of skill in the art can make the server 
do what is claimed. 

For claims 39-42, how would one of skill in the art go about making the server 
prioritize the risks deemed to be important to the business, especially when that is 
disclosed as being done by people? The server is not capable of knowing what the 
business management members know and cannot map a risk model; compile 
compliance requirements and prioritize them, assign a severity rating (disclosed as 
being done by people), etc. One of skill in the art would not be able to make the server 
do what is claimed, especially in view of the fact that the specification discloses that 
people do these steps. The same is true for claim 40, the guidance from the 
specification does not include how to make the server do what is claimed because 
people do it. For claim 41, how does the server compile a list of requirements that 
include company policy as well as the other recited requirements? The server does not 
compile the various requirements; it is an employee that compiles the requirements. 

Claims 43-56,58,60-62 are also found to be non-enabled for the same reasoning 
as set forth above. The specification teaches that people compile the list of compliance 
requirements, people prioritize the risks, people assign severity ratings and process 
strength ratings, people map the risk model and identify possible failure modes, assign 
occurrence and detection factors, define recommended actions, etc. 

For all of claims 31-56,58,60-89, Applicant has not given enough disclosure to 
enable one of skill in the art to make a computer system that has a server that does 
everything that is claimed. One of skill in the art reading the specification would be very 
confused because of the fact that it is disclosed that people do most of the recited steps, 
not the server. One of skill in the art would have to undergo undue experimentation to 
design an intelligent system that can basically tell management what to do and more or 
less run the company with respect to compliance issues. The way the claims are 
written it is the server doing everything, but the specification teaches that most of the 
steps are done by people. The claims are not enabled for these reasons. 

5. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

6. Claim 11 is rejected under 35 U.S.C. 112, second paragraph, as being indefinite 
for failing to particularly point out and distinctly claim the subject matter which applicant 
regards as the invention. 

For claim 11, the step of "prioritizing compliance risk areas" is not clear because 
claim 1 already recites that the compliance risks are being prioritized. Is this the same 
step as recited in claim 1, if not then what is the difference? Applicant has not 
addressed this in the remarks or amended this claim to correct this problem. 

7. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

8. This application currently names joint inventors. In considering patentability of 
the claims under 35 U.S.C. 103(a), the examiner presumes that the subject matter of 
the various claims was commonly owned at the time any inventions covered therein 
were made absent any evidence to the contrary. Applicant is advised of the obligation 
under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was 
not commonly owned at the time a later invention was made in order for the examiner to 
consider the applicability of 35 U.S.C. 103(c) and potential 35 U.S.C. 102(e), (f) or (g) 
prior art under 35 U.S.C. 103(a). 

9. Claims 1-16,18-23,25,27,28,30-45,47-53,55,56,58,60-89,119-122 are rejected 
under 35 U.S.C. 103(a) as being unpatentable over Fetherston (20020120642) in view 
of Buddie et al. (6912502). 

For claims 1,3,5,6,11-16,18,19,21,23,31,39-45,47,48,51,52,63-65,68-89, 
Fetherston discloses a system and method of determining a company's compliance with 
legislative conditions and/or internal managerial conditions. Fetherston discloses a 
compliance management system that determines and identifies compliance or lack of 
compliance with certain criteria (relating to processes or products of business). The 
server is 2 and the database is 4 and/or 16. The client system is disclosed in paragraph 
28 where it is disclosed that the system can be a "stand alone" computer or may be 
connected to other components (computers) of a network. It is also stated that the 
system can be implemented on separate networked computers accessible from all or 
selected levels of an organization. Information concerning compliance is stored in the 
database as claimed. This includes a questionnaire (see figure 4, paragraphs 34 and 
38) and compliance requirements (see paragraph 12). Also see figure 4 where it is 
disclosed that one of the data entries is the "Department". Identifying the department 
also identifies the persons responsible for compliance (i.e. the employees in that 
department). In paragraph 38 it is disclosed that a user is forced to follow a process 
and pattern of data entry (by using a computer) to collect data needed to determine the 
level of compliance with the saved compliance requirements. This involves the 
displaying of the questionnaire of figure 4 on a client system (a computer) that is 
inherently based on saved compliance information relating to whatever requirements 
have to be complied with. The server 2 then receives the entered data, and saving the 
data "processes" the data. The system also prioritizes the compliance risk for a 
business by identifying the compliance risks and prioritizing them from high to low 
based on a severity rating. Paragraph 42 discloses the identification of hazards (risks) 
that exceed a certain rating. This satisfies the claimed identification of the compliance 
risks. Assigning a numerical priority to each risk by using a "risk assessment rating" 
prioritizes the identified risks. The risk assessment rating satisfies the claimed "severity 
rating". The calculating of a risk prioritization number (RPN) for each risk is satisfied by 
the disclosure that "the user may specify the threshold value, enabling an organization 
to concentrate first on high priority hazards by specifying a high threshold, then lowering 
the threshold to concentrate on lower priority hazards". The user "calculates" or figures 
out how important each risk is at the present time (based on factors which inherently 
include current compliance with certain criteria, which is saved data stored in the 
database) to arrive at a prioritization number (threshold value) for each risk. Once the 
various risks are analyzed and management is aware of potential problems, 
implementation of controls such as training can be done. The database also stores 
information on training to be given (a control). The language reciting that the RPN is 
"directly related to current controls in place and the detection rating" is noted but is not a 
further method step and is not reciting any further structure that would be different from 
that which is disclosed by Fetherston. Clearly the RPN of Fetherston is related to 
current controls in place and the detection rating because this number is inherently 
related to this kind of information. 

Not specifically disclosed is the step of identifying failure modes with the causes 
and effects of the compliance failure modes along with the storing of this data in the 
database (also relates to the claimed FEMA for claim 11). Also not disclosed is the act 
of identifying the current control in place and a detection rating that represents whether 
or not the current controls that are in place will detect compliance failure modes. 

Also not disclosed is the use of a dashboard to summarize actions to be taken 
and key metrics as has been added to the independent claims. This will be addressed 
after the limitations of the preceding paragraph have been addressed. 

When one receives an indication that certain legislative requirements (or internal 
company criteria) are not being met, one of ordinary skill in the art would obviously want 
to know why that is happening, so that the problem can be fixed. One of ordinary skill in 
the art would also find it desirable to have some form of controls in place to detect when 
a condition may be violated as well as having a way to assess the effectiveness of the 
current controls. It is clear that one of ordinary skill in the art would not want to violate 
any compliance requirements and would take steps to ensure proper compliance. Upon 
receiving information that indicates failure to comply with certain compliance 
requirements, one of ordinary skill in the art at the time the invention was made would 
have been motivated and found it obvious to identify the failure modes for each risk, 
with the associated causes and effects of those failure modes so that the problem can 
be corrected (by taking actions). This is how one of ordinary skill in the art would go 
about correcting the non-compliance issues identified. You must first identify the 
problem and figure out why it is happening (causes/effects) before you can arrive at a 
solution (an action). This is something that is obvious to one of ordinary skill in the art 
based on their knowledge and based on some common sense in problem solving. You 
cannot correct a problem if you do not know why it is occurring. One of ordinary skill in 
the art would have been motivated to do what is claimed. With respect to having 
current controls in place to detect the failure modes, this is something that one of 
ordinary skill in the art would also find desirable. This is because one of ordinary skill in 
the art would find it desirable to ensure that you do not violate any compliance 
requirements. To ensure that you do not violate any compliance requirements, one 
must ask the question of how can this be done? One of ordinary skill in the art would 
have clearly considered monitoring by having some form of "controls" in place, so that 
any potential issues of non-compliance can be identified before they become a real 
issue. This is something that one of ordinary skill in the art would find desirable based 
on the problem being addressed and the level of knowledge that one of ordinary skill in 
the art has. With respect to the detection rating, this is taken as just an assessment of 
the controls in place that are to detect failure modes. Clearly, if you are using controls 
to identify failure modes, you must have some confidence with the current controls and 
must have some level of confidence that they will work as intended and will identify 
failure modes. One of ordinary skill in the art would have been motivated to also assess 
the controls that are in place as far as their effectiveness is concerned. It would have 
been obvious to one of ordinary skill in the art at the time the invention was made to 
have some controls in place to detect failure modes and to also have a detection rating, 
that is an assessment of the overall effectiveness of the current controls. Also 
considered to be obvious is that recommended actions would be implemented to reduce 
the risk associated with each compliance risk that was identified. This is the reason you 
are looking at the risks in the first place. You want to take actions that will reduce the 
risk for each compliance risk. With respect to the storing of the data in the database, 
the Background of the invention section states that some legislation requires employers 
"to provide an audit trail of their actions that is sufficiently transparent to show that they 
have an effective management program which includes hazard identification, 
appropriate training and supervision of staff, recording details", etc. One of ordinary 
skill in the art at the time the invention was made would have been motivated to save all 
of the compliance data in the database to ensure that there is a transparent audit trail 
that would be evidence of management doing what they are supposed to be doing as 
far as compliance monitoring goes. 

With respect to having a dashboard that summarizes actions to be taken and key 
metrics, Buddie discloses a system and method for compliance management. Buddie 
specifically discloses that a dashboard is used to identify compliance issues and to 
collect, process, and display compliance data. See column 4, line 62 to column 5, line 8 
and column 6, line 46 to column 7, line 23. Using a dashboard for compliance 
monitoring is known and disclosed by Buddie. It would have been obvious to one of 
ordinary skill in the art at the time the invention was made to provide Fetherston with a 
"policy dashboard" so that key data regarding compliance issues can be summarized 
and so that recommended actions can be monitored. With respect to the data that 
applicant is claiming the dashboard as summarizing, this is taken as non-functional 
descriptive material because the data is never actually used in any further steps. Data 
that is simply displayed on a screen and never used is not sufficient to be considered 
patentably distinguishing. However, in view of Buddie and the teaching of a dashboard 
for compliance monitoring, the examiner believes that the resulting structure is present 
in the 103 combination. Dashboards as claimed are not new and are something 
disclosed by Buddie. 

For claims 2,32,34,50, with respect to the limitation of defining what constitutes a 
yes answer, the examiner notes that paragraph 37 discloses that one of the formats for 
the questionnaire is a "true/false" type of format. That is the same as having yes or no 
answers. This inherently involves a previous determination as to what defines a yes 
(true) or no (false) answer so that the compliance assessment can be performed. 
People make up the forms and the questions, not the computer system. In Fetherston 
questionnaire answers are obtained, and results are compiled and presented to 
management as claimed. Not disclosed is a "binary questionnaire", and the assembling 
of a cross functional team. With respect to the "binary questionnaire", the use of binary 
code is very old and well known in the art. Binary language is the basic language that 
computers use for data. It would have been obvious to one of ordinary skill in the art at 
the time the invention was made to use a "binary" questionnaire because the use of 
binary code is very old and well known in the art and is something that one of ordinary 
skill in the art would readily be aware of. With respect to the assembling of a cross 
functional team, the examiner notes that applicant does not actually recite that the team 
does anything. One of ordinary skill in the art at the time the invention was made would 
have found it obvious to assemble a cross functional team (a team of employees) that 
would serve to help set up the entire compliance monitoring system and assist in 
determining what questions should be asked when a "true/false" format for the 
questionnaire is used. 

For claim 4, not specifically disclosed is the step of identifying failure modes with 
the causes and effects of the compliance failure modes along with the storing of this 
data in the database. When one receives an indication that certain legislative 
requirements (or internal company criteria) are not being met, one of ordinary skill in the 
art would obviously want to know why that is happening, so that the problem can be 
fixed. Upon receiving information that indicates failure to comply with certain 
compliance requirements, one of ordinary skill in the art at the time the invention was 
made would have been motivated to identify failure modes for each risk, with the 
associated causes and effects of those failure modes so that the problem can be 
corrected. This is how one of ordinary skill in the art would go about correcting the 
non-compliance issues identified. You must first identify the problem and figure out why it is 
happening (causes/effects) before you can arrive at a solution. One of ordinary skill in 
the art would have been motivated to do what is claimed. Also not disclosed is the 
prioritizing actions that need to be taken and the developing of a scorecard to be used 
as a monitoring and reporting tool. With respect to the prioritizing of actions that need 
to be taken, when one determines the reason why non-compliance is occurring and 
develops a proposed solution (actions that need to be taken), one of ordinary skill in the 
art at the time the invention was made would have been motivated to prioritize those 
actions that need to be taken so more effort can be spent on those actions that will 
provide more of a positive result, so that effort is not spent on actions that have a small 
effect on the problem. With respect to the development of a policy scorecard, one of 
ordinary skill in the art at the time the invention was made would have found it obvious 
to have some manner by which one could grade the efforts of management in 
compliance monitoring and in correcting any issues of non-compliance. This is 
interpreted to be the mere assessment or appraisal of the company in its efforts to 
ensure company compliance and in fixing the problems. Appraisals or reports on the 
performance of a company or a part of a company are nothing new (i.e. GAO reports of 
the Federal Government). 

With respect to claim 7, in addition to that disclosed above, not disclosed is 
ensuring that the actions are completed in a timely manner. One of ordinary skill in the 
art at the time the invention was made would have been motivated to ensure that any 
corrective actions that need to be taken are done in a timely manner, so that the 
identified non-compliance risks will not continue. Timely completion of taking action to 
correct the problems is something that one of ordinary skill in the art would clearly 
appreciate. 

For claims 8,33,35,36,66,67, the questionnaire is a "question owners matrix". It 
is a matrix of questions to be answered. The use of a knowledge base is the use of the 
computer system and the stored data. That is a knowledge base. 

For claims 9,37, not disclosed is the use of a spreadsheet to compile the results. 
It is old and well known in the art that spreadsheets are used to process data and 
display data for anything one desires. One of ordinary skill in the art would have this 
fact in their knowledge. It would have been obvious to one of ordinary skill in the art at 
the time the invention was made to use a spreadsheet to display results data, because 
spreadsheets are well known as being a commonly used format to display data and are 
something that one of ordinary skill in the art would understand and appreciate. 

For claims 10,30,38, not disclosed specifically is the use of a program 
assessment summary and a policy assessment summary. Taking into consideration 
that the reason you are tracking compliance data is to ensure that you are in 
compliance with certain regulations or criteria and given that summary data is compiled 
in Fetherston, it would have been obvious to one of ordinary skill in the art at the time 
the invention was made to present the upper members of management with a summary 
of how the "compliance program" is going by having a program assessment (is the 
program working and achieving real world results that justify the program's existence) 
and a policy summary, that summarizes what policies (i.e. training programs) are 
working or not working. One of ordinary skill in the art would have been motivated to 
summarize the results as claimed. 

For claims 11,39, not disclosed is the mapping of a high level business risk 
model and a quality function deployment. With respect to the risk model, one of 
ordinary skill in the art would have found the use of a risk model (very broad language) 
as obvious, because this is the way that one would go about analyzing the risk to a 
company. You would construct a risk model, which can simply be a report of the 
possible risks and how they may affect the company. With respect to the quality 
function deployment, as this is best understood by the examiner, this is the use of a 
matrix to summarize the compliance requirements (from page 12 of the instant 
specification). The use of a matrix is old and well known in the art. One of ordinary skill 
in the art would have found the use of a matrix obvious because one of ordinary skill in 
the art would recognize that matrixes can be used to summarize any kind of data one 
desires. 

For claims 20,49, not disclosed is the identifying of the top 3-5 compliance 
requirements that have the highest risk. One of ordinary skill in the art would clearly be 
the most concerned with those compliance areas that have the greatest risk. This is 
just obvious common sense that one of ordinary skill in the art would recognize. With 
respect to determining the top 3-5 compliance requirements, one of ordinary skill in the 
art would find it obvious to not just focus on one compliance risk area, but to focus on a 
plurality of the top areas of concern. Depending on the number of compliance areas in 
need of attendance, one of ordinary skill in the art would have found it obvious to 
identify the top 3-5 compliance requirements that have the greatest risk to the business, 
so that those risks can be minimized. 

For claims 22,53, not specifically disclosed is determining failure modes for each 
step in a process. In the rejection for claim 1, the issue of determining failure modes 
and causes and effects was addressed. With respect to determining failure modes for 
each step in a process, one of ordinary skill in the art would have been motivated to do 
a complete failure mode analysis, which would involve looking at all steps of a process 
where failures could occur. One of ordinary skill in the art would be motivated to look at 
the entire process, not just one step, so that the analysis would be complete and as 
accurate as possible. With respect to brainstorming potential effects, this is part of the 
determination of the cause and effects that has been previously addressed. 
Brainstorming is just coming up with what the effects could be. 

For claims 25,55,56, not disclosed is the step of entering the recommended 
actions, an owner, and an expected date of completion into the matrix. The limitation of 
determining actions to be taken has already been addressed. With respect to the 
entering of these actions in addition to an owner and an expected completion date, one 
of ordinary skill in the art would have been motivated to track the recommended actions, 
who is responsible for ensuring they are followed through on, and when it is expected 
that they are going to be completed. This is information that one of ordinary skill in the 
art would have recognized as being important. If you take the time to formulate some 
actions that can be taken to minimize the risk to a company, you would also be 
motivated to track the progress of those actions and document who is responsible for 
ensuring that those actions are undertaken, along with dates of when it will be 
completed, so that the management personnel overseeing the implementation of these 
actions will know what they are doing, who is doing it, and what the timeline is for the 
progress of those actions. One of ordinary skill in the art would have been motivated to 
do what is claimed. 

For claim 27, not disclosed is the monitoring of the progress. When one is using 
the method of Fetherston to address compliance risks, one of ordinary skill in the art 
would have been motivated to revisit the issues at a later point in time to see whether or 
not the risk of non-compliance has gone down (monitoring the progress). 

For claims 28,58, with respect to the use of a policy scorecard, one of ordinary 
skill in the art at the time the invention was made would have found it obvious to have 
some manner by which one could grade the efforts of management in compliance 
monitoring and in correcting any issues of non-compliance. This limitation is interpreted 
to be the mere assessment or appraisal of the company in its efforts to ensure company 
compliance and in fixing the problems. Appraisals or reports (scorecards) on the 
performance of a company or a part of a company are nothing new (i.e. GAO reports of 
the Federal Government). 

For claims 60-62, the prior art is fully capable of operating as claimed. The 
server can receive information in any of the claimed manners. 

For claims 119-122, when one has recommended an action to be taken, as these 
claims require, one of ordinary skill in the art would clearly find it desirable to monitor 
the status of the recommended action (with updates) and one would naturally want to 
know if the action has completed or not. This is so that one can be assured that the 
action has been completed and when that has been done, one would naturally want to 
reassess the level of risk now associated with that compliance risk, especially after 
some action has been taken to reduce that risk. Once a risk is identified and one 
determines that the risk needs to be lowered, one takes steps to do so, such as by 
implementing control measures as already addressed by the examiner. When one is 
trying to lower risk, they are interested in finding out whether or not the risk has actually 
been reduced by whatever action has been taken. To recalculate the risk associated 
with a compliance risk, after an action has been taken to hopefully reduce that risk is 
considered to be obvious. One of ordinary skill in the art at the time the invention was 
made would have found it obvious to recalculate the risk as claimed (the PRN) after an 
action has been taken (which is required by the claims). 

10. Applicant's arguments filed 10/23/07 have been fully considered but they are not 
persuasive. 

With respect to the traversal of the 35 USC 101 rejection, it is not persuasive. 
Applicant has argued that an experienced risk assessor would be able to figure out how 
to value the detection rating, severity rating, and process strength rating. At the outset 
the examiner notes that applicant has not introduced any kind of evidence from an 
experienced risk assessor, and notes that there is no evidence of record that shows that 
applicant's counsel is an experienced risk assessor. It is also not clear what an 
"experienced risk assessor" means. The portions of the specification cited by applicant 
in support of their arguments clearly state things such as "the risks are analyzed by the 
team", and "the effect of each failure mode is determined by the team, who then try to 



Application/Control Number: 09/848,051 Page 22 

Art Unit: 3629 

identify the potential causes". Human beings and their subjective thoughts, opinions, 
and decisions come into play during the process of determining the detection rating, 
severity rating, and process strength rating. Applicant has referred to the specification 
where it is taught that "the standard rating system includes values from one to ten" and 
that the ratings are using this kind of a system. The decision as to what value each of 
the various ratings is supposed to have is to be decided by human beings and is a 
subjective analysis that is not concrete. It is disclosed that a value of one means "a 
remote likelihood of occurrence" and a value of ten means "failure is assured". The 
issue of "remote likelihood" and "assured" is itself very subjective and depends on what 
one person feels satisfies "remote" and "assured". There is no guarantee that any two 
or more people will naturally agree on the same definition for these broad terms. There 
is no showing or reason to conclude that this decision is such that there is substantial 
repeatability in that two given people or teams of people will arrive at substantially the 
same solution. This is especially true because this method could be used for any kind 
of business and with totally different kinds of possible risks that need to be valued. 
There is no qualitative manner by which this number is arrived at because it is left up to 
human beings and their opinions and judgments to decide what values the ratings are to 
have. How can one go about and figure out whether or not a value of 2 is appropriate 
versus a 3 or possibly a 4? What are the values between one (remote chance) and ten 
(assured) supposed to have as far as meaning goes? What if there is a reasonable 
chance? Is this a 6 or a 7 or maybe an 8? This decision will necessarily affect the end 
result of the method. There is insufficient guidance given in the specification and in the 
opinion of the examiner, this process is not concrete as is required by 35 USC 101. The 
same is true for the other ratings at issue. The fact that the detection rating, severity 
rating, and process strength rating are given values by human beings, and given that 
this will necessarily depend on the opinions and judgments of humans as to what 
constitutes a "remote" chance or "assured" chance, the examiner has concluded that 
the claims do not comply with 35 USC 101 and are not directed to an invention that is 
considered to be concrete. Because humans are involved and the human mind is 
subjectively deciding what values these ratings are to have, the result is not 
substantially repeatable to an extent that the same result can be produced as is 
required by 35 USC 101. With respect to the QFD score, which is determined by a 
mathematical equation that uses the human decided values for the detection rating, 
severity rating, and process strength rating, this is also not substantially repeatable to 
an extent that the same result can be produced as is required by 35 USC 101. The 
rejection is being maintained. Applicant's arguments for the QFD score are the same 
as for the detection rating, severity rating, and process strength rating. Applicant also 
stated that they assumed that the examiner also rejected the dependent claims for the 
same reason, but that the action did not state such. The statement from the last office 
action of "Claims 1-25,27-56,58-89,119-122, are rejected under 35 U.S.C. 101 because 
the claimed invention is directed to non-statutory subject matter" is a statement rejecting 
all the claims, not just the independent claims. All the claims have been and are rejected 
under 35 USC 101. 

With respect to the enablement rejection under 35 USC 112,1st, it is not 
persuasive. Applicant has relied essentially upon the arguments addressed above for 
the 101 rejection and applicant has stated that having a rating system of from 1-10 
enables the claims because an experienced risk assessor would understand what 
values to give the various ratings. It is disclosed that a value of one means "a remote 
likelihood of occurrence" and a value of ten means "failure is assured". The issue of 
"remote likelihood" and "assured" is itself very subjective and depends on what one 
person feels satisfies "remote" and "assured". There is no qualitative manner by which 
this number is arrived at because it is left up to human beings and their opinions and 
judgments to decide what values the ratings are to have. How can one go about and 
figure out whether or not a value of 2 is appropriate versus a 3 or possibly a 4? What 
are the values between one (remote chance) and ten (assured) supposed to have as far 
as meaning goes? What if there is a "reasonable" chance? Is this a 6 or a 7 or maybe 
an 8? How will one of skill in the art know what value between one and ten is to be 
chosen? The claims are not considered to be enabled due to the lack of sufficient 
guidance given to enable one to properly value the various ratings and calculate the 
QFD score. 

For the 112,1st and claims 31,63-89, applicant has not presented a traversal 
regarding these claims and how the server prioritizes the risks, identifies failure modes, 
etc. The rejection is maintained for this reason. The rejection is deemed proper. 

For the 112,1st and claims 32,33,35, and 36, how can the server assemble the 
cross-functional team and conduct an interview with a person, etc.? The specification 
discloses that people are the ones doing these steps, not the server. People, not the 
server, also do the summary of the results. Applicant is claiming that the server does 
steps that the specification discloses are actually done by people. Because of this it is 
not disclosed how to make the server do what people are disclosed as doing. One of 
skill in the art would not be able to make the server do what is claimed and undue 
experimentation would be involved. The arguments are not persuasive. 

For the 112,1st of claim 34, applicant has relied upon a portion of the specification 
that teaches the storage of a questionnaire in a database. The claim recites that the 
server "creates" the questionnaire, not storing it. People are the ones that created the 
questions because they must relate to the business and the risks that business is 
concerned about. How can the server know what the business is and what questions 
should be asked? The server cannot do this step, people do and this fact is disclosed in 
the specification. Applicant has not disclosed how one of skill in the art can make the 
server do what is claimed. The rejection is being maintained. 

For the 112,1st of claims 39-42, applicant has relied upon a portion of the 
specification for a showing that the server can compile results and do what is claimed in 
claims 39-42. As an example, claim 39 recites that the server is configured to prioritize 
the risks. The cited portion of the specification applicant has relied upon specifically 
states that "Resources used to prioritize risks may include functional leaders, 
compliance leaders, compliance experts, policy owners, a management team, and legal 
counsel". The server does not do this, people do. How can applicant argue that the 
server "assigns a severity rating" which is claimed in claim 39 also? Applicant has 
specifically argued that an experienced risk assessor does this? How does the server 
do what applicant has argued is being done by people? Applicant has not addressed 
the totality of what has been claimed as being done by the server that is really disclosed 
as being done by people. The rejection is being maintained. 

For claims 43-62, and claims 31-89, applicant has argued that the use of a server 
to do what is claimed is enabled. The claims do not recite "the use of a server" (by 
people) but recite that the server actually does it. There is a difference. How can 
applicant argue that the server "assigns a severity rating" which is claimed in 
these claims? Applicant has specifically argued that an experienced risk assessor does 
this? So how is this enabled? The cited portion of the specification applicant has relied 
upon specifically states that "Resources used to prioritize risks may include functional 
leaders, compliance leaders, compliance experts, policy owners, a management team, 
and legal counsel". The server does not do the prioritization, people do. How is the 
server made to do what people are disclosed as doing? Applicant has more or less just 
alleged that the claims are enabled and has only addressed a small portion of what is 
claimed in claims 43-62,31-89, which is not persuasive. The rejection is being 
maintained. 

For the 112,2nd rejection to claim 11 and the issue of the recitation of prioritizing 
the compliance risks, applicant in their remarks did not address this and the claim has 
not been amended to correct this problem. The rejection and issue remains. 

For the prior art traversal, applicant has argued that Fetherston does not disclose 
the creation of a policy dashboard as is claimed. This argument is deemed moot based 
on the new grounds of rejection because of the use of Buddie as a teaching reference 
for this limitation. A dashboard as claimed is not novel and is known in the prior art as 
the prior art rejection states. 

Applicant has argued that it is considered novel to store compliance information 
in a database. With respect to the storing of this data in a database, this has been 
addressed in the 103 rejection and is considered to be obvious. The examiner has 
stated that "With respect to the storing of the data in the database, the Background of 
the invention section states that some legislation requires employers "to provide an 
audit trail of their actions that is sufficiently transparent to show that they have an 
effective management program which includes hazard identification, appropriate training 
and supervision of staff, recording details", etc.. One of ordinary skill in the art at the 
time the invention was made would have been motivated to save all of the compliance 
data in the database to ensure that there is a transparent audit trail that would be 
evidence of management doing what they are supposed to be doing as far as 
compliance monitoring goes." The applicant has not addressed this analysis and 
reasoning and the entire argument is not much more than a general allegation of 
patentability. Applicant needs to address the rationale set forth by the examiner and 
explain why it is incorrect and why the storing of the data in a database is not obvious. 
This has not been done. The statement that there is no motivation disclosed to do this 
is noted but is ignoring the statements from the examiner. 

Overall, applicant has argued and stated what they believe Fetherston does not 
disclose, but has not really addressed the rejection as set forth by the examiner. 
Without some further explanation and analysis of the prior art and the rejection as set 
forth by the examiner these arguments are taken as mere allegations of patentability. 
Just stating that the reference does not disclose A and B, without explaining why, is not 
persuasive. The examiner has stated why certain limitations read on Fetherston and 
has stated why others are considered obvious and applicant has not addressed them on 
the merits, other than to say that Fetherston does not disclose them. 

For the RPN calculation, applicant has argued that the interpretation from the 
examiner is in error. The examiner disagrees. The claim does not recite or require that 
the calculated RPN be based on current controls in place and the detection rating as 
has been argued. The language reciting that the RPN is "directly related to current 
controls in place and the detection rating" is noted but is not a further method step and 
is not reciting any further structure that would be different from that which is disclosed 
by Fetherston. Clearly the RPN of Fetherston is related to current controls in place 
and the detection rating because this number is inherently related to this kind of 
information. The RPN is only claimed as being calculated based on "the data stored in 
the database". The argument is not commensurate with the scope of the claims. 

11. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Dennis Ruhl whose telephone number is 571-272-6808. 
The examiner can normally be reached on Monday through Friday. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, John Weiss can be reached on 571-272-6812. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 